Page 1: Using Active Directory Federation Services R2 Beta 2 and ...download.microsoft.com/documents/australia/teched...

Microsoft Confidential

Using Active Directory Federation Services R2 Beta 2 and Windows SharePoint Services


This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

© 2004 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Outlook, SharePoint, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Lab Contents

ADFS Overview ..... 5
Lab Objectives ..... 5
Lab Scenario ..... 5
Lab Environment Overview ..... 5
Federation Process Overview ..... 6
Section Zero: Configuration of Supporting Infrastructure ..... 7
Section One: Setting up UPN to UPN mapping ..... 7
    Install Web Service (WS) on SharePoint Machine (HOL162-SPS) ..... 7
    Configure Traditional Application Web Server ..... 8
    Add Active Directory Account Store ..... 10
    Configure Alternative UPN suffixes ..... 10
    Add local account for Alan Steiner to Active Directory ..... 10
    Add Traditional Application Wizard ..... 11
    Send invite letter to Alan ..... 12
    Check Alan’s Invite ..... 13
Section Two: Configure Group to UPN Mapping ..... 14
    Configure Group at A. Datum ..... 14
    Configure Resource Site for Group to UPN mapping ..... 15
    Add local account for Reader user to Active Directory ..... 15
    Configure Group to UPN in ADFS ..... 16
    Configure Windows SharePoint Services for Group to UPN mapping ..... 17
    Test Site with Alex ..... 17


ADFS Overview

Active Directory® Federation Services (ADFS) provides extranet authentication/authorization, single sign-on (SSO) and federated identity services for Windows Server™ environments. With ADFS, you will be able to extend the value of an Active Directory investment to B2C extranet, intra-company (multi-forest) federation and B2B internet federation scenarios using browser applications. ADFS provides a flexible, secure, easy-to-deploy solution for extranet user management tightly integrated with the Windows® platform, while simultaneously built on standards-based concepts to ensure interoperability with existing access management solutions. Ultimately, ADFS promotes increased IT efficiency, while providing for easier secure collaboration among business partners. ADFS will ship as a feature of Windows Server 2003 “R2”, scheduled for 2H 2005.

Lab Objectives

This lab is designed to walk the reader through the process of setting up Active Directory Federation Services (ADFS) Beta 2.

This lab covers ADFS setup for a passive (browser-based) federated Windows SharePoint® Services scenario between two business partners (B2B), including:

• Installing ADFS Beta 2 (the web agent) on the Windows SharePoint Services server
• Modifying a trust relationship between business partners
• Integrating with the Windows SharePoint Services that ship with Windows Server 2003 “R2”

Lab Scenario

A. Datum (the account partner) builds and sells computers. Trey Research (the resource partner) designs and sells memory chips. One of A. Datum’s vendors is Trey Research. Trey Research has asked Alan Steiner, an A. Datum employee, to review a new specification for a new memory chip coming out next year. Trey Research has an extranet containing Windows SharePoint Services that it uses to collaborate with its customers. ADFS allows administrators at the two companies to establish a federation trust, whereby Trey Research site owners can invite customers to participate in collaborative discussions on next generation products.

Lab Environment Overview

Four Virtual Machines are used throughout the lab. Two of the Virtual Machines represent the Federation Servers for each organization, the third represents a client, and the fourth is the Windows SharePoint Server. The Resource, Account, and Windows SharePoint Virtual Machines run Windows Server 2003 and the Client Virtual Machine runs Windows XP. They are all connected to an Internal Network, allowing them to communicate over a private network.


Trey Research’s first Virtual Machine contains a Federation Server and Active Directory. Trey Research’s second Virtual Machine contains Windows SharePoint Services and ADFS Web Agent. A. Datum’s Virtual Machine contains a Federation Server and Active Directory.

[Figure: Virtual Server Lab Configuration]
• Resource VPC (Windows Server 2003, Trey Research): Federation Server, Active Directory
• Account VPC (Windows Server 2003, A. Datum): Federation Server, Active Directory
• SharePoint VPC (Windows Server 2003, Trey Research): Web Server
• Client VPC (Windows XP): Client (Eric Parkinson)

This is a simplified environment that includes services deployed on a single machine, minimizing the number of machines while allowing a fully functional federation environment. Deployment scenarios would include an expanded set of machines spanning multiple firewalled networks. Virtual Server uses several alternative key combinations. When logging into an image, use (right) Alt-Delete instead of Ctrl-Alt-Del. To put a Virtual Machine into full screen mode use (right) Alt-Enter. To exit full screen mode use (right) Alt.

Federation Process Overview

Configuring the resource and account sides is usually carried out by two different organizations or units. In this lab, both sides are configured by a single administrator. The lab starts with installing ADFS on both sides, then configures the resource side followed by the account side. The tasks within the lab may be rearranged in other orders depending on the relationship between the account and resource partners, and the stages of their ADFS deployments.


Section Zero: Configuration of Supporting Infrastructure

NOTE: You may wish to skip this section if your lab environment has been preconfigured by an instructor.

When beginning this lab without preconfigured Virtual Machines, there are several pieces of supporting infrastructure that are required. These steps detail the creation of the base images used during this lab and should be performed by the instructor. These steps offer guidance in how to set up a lab environment, although a basic familiarity is assumed with the following steps since lab environments differ. As outlined in the Lab Environment Overview section, each of the Virtual Machines is serving multiple purposes. The following is a summary of required pre-configuration components.

Account Virtual Machine:
• Active Directory Domain Controller
• Internet Information Services (IIS)
• ASP.NET
• DNS (adatum.com)

Resource Virtual Machine:
• Active Directory Domain Controller
• Internet Information Services (IIS)
• ASP.NET
• DNS (treyresearch.net)

SharePoint Virtual Machine:
• Internet Information Services (IIS)
• ASP.NET
• Windows SharePoint Services

Section One: Setting up UPN to UPN mapping

IMPORTANT NOTE: Begin the lab at this section if your lab environment has been preconfigured by an instructor.

For Beta 2, installation of ADFS is performed within Add/Remove Windows Components. In this scenario, you will be adding to the configuration from HOL161. (A completed HOL161 has been provided.) Trey Research is providing a collaboration site for partners to access. A. Datum will be one of those partners. Trey Research will have two Virtual Machines. One hosts the Federation Service that you installed and configured in HOL161; the second has Windows SharePoint Services on it. You will start out on the Windows SharePoint Services Virtual Machine and install the ADFS Web Services Agent.

Install Web Service (WS) on SharePoint Machine (HOL162-SPS)

Log on to HOL162-SPS using the following credentials:


Username: TREYRESEARCH\Administrator Password: Passw0rd

1. Click Start → Control Panel → Add or Remove Programs.

2. Click Add/Remove Windows Components.

3. Highlight Active Directory Services and click Details.

4. Highlight Active Directory Federation Services and click Details.

5. Highlight ADFS Web Services Agent and click Details.

6. Check Traditional Applications.

7. Click OK.

8. Click OK.

9. Click OK.

10. Click Next.

11. Click Finish.

Configure Traditional Application Web Server

Now you will configure the Web Server for the Traditional Application. Perform the following actions from the SharePoint Server, Trey Research (HOL162-SPS). Username: Administrator Password: Passw0rd

1. Click Start → Administrative Tools → Internet Information Services (IIS) Manager.

2. Expand Beta2-SPS2 (local computer).

3. Right-click on Web Sites and click Properties.

4. Select the ADFS Web Service Agent tab.

5. In the Federation Service URL: type https://rpbeta2.treyresearch.net/adfs/fs/FederationServerService.asmx.

6. Click OK.

7. Expand Web Sites


8. Right-click on Default Web Site and click Properties.

9. Select the Home Directory tab.

10. In the Application settings section click the Configuration… button.

11. Verify that the entry C:\WINDOWS\system32\ifsext.dll is present in the Wildcard application maps (order of implementation): section. If it is, skip to step 17; otherwise continue.

12. Click the Insert… button.

13. Click the Browse… button.

14. Navigate to the C:\WINDOWS\system32 directory and select ifsext.dll and click Open.

15. Uncheck Verify that file exists.

16. Click OK.

17. Click OK.

18. Select the ISAPI Filters tab.

19. Click the Add… button.

20. In the Filter name: field enter ADFS Filter.

21. Click the Browse… button.

22. Navigate to the C:\WINDOWS\system32 directory and select ifsfilt.dll and click Open.

23. Click OK.

24. Click OK.

25. Right-click on Default Web Site and click Properties.

26. Select the ISAPI Filters tab.

27. Select the ADFS Filter entry and click Move up.

28. Select the ADFS Web Service Agent tab.

29. Check Enable Active Directory Federation Services Web service agent.

30. The two fields will be populated automatically. For this lab, use the default values.

31. Click OK.

32. Click OK.


Add Active Directory Account Store

Perform the following actions from the Resource Side, Trey Research (HOL162-Resource). This is done so Trey Research users can manage the Windows SharePoint site. Username: Administrator Password: Passw0rd

1. Click Start → Administrative Tools → Active Directory Federation Services.

2. Expand the Federation Service node.

3. Expand the Trust Policy node.

4. Expand the My Organization node.

5. Right-click Account Stores and select New Account Store...

6. Click Next.

7. Verify that Active Directory is selected and click Next.

8. Verify that Enable this account store is selected and click Next.

9. Click Finish.

Configure Alternative UPN suffixes

Perform the following actions from the Resource Side, Trey Research (HOL162-Resource). Adding adatum.com as a UPN suffix lets the treyresearch.net forest hold accounts whose UPN ends in @adatum.com, which the shadow account for Alan created later in this section requires. Username: Administrator Password: Passw0rd

1. Click Start → Administrative Tools → Active Directory Domains and Trusts.

2. Right-click Active Directory Domains and Trusts and select Properties.

3. In the Alternative UPN suffixes field type adatum.com and then click Add.

4. Click OK.

Add local account for Alan Steiner to Active Directory

Perform the following steps on the HOL162-Resource Virtual Machine. The account you create here is a shadow of Alan’s A. Datum account: its UPN (alan@adatum.com) must match the UPN claim Trey Research receives from A. Datum exactly, because that is the key the ADFS Web Agent uses to build a Windows security context for the traditional application. Alan never presents this account’s password; he authenticates at A. Datum.

1. Click Start → Administrative Tools → Active Directory Users and Computers.

2. Right-click on the treyresearch.net folder and select New → Organizational Unit.

3. In the Name field type Federated Accounts and click OK.

4. Expand treyresearch.net.

5. Right-click on the Federated Accounts folder and select New → User.

6. Type in Alan as the first name, Steiner as the last name, alan as the user logon name, and select @adatum.com from the User logon name drop down.

7. Click Next.

8. Set the password to pass@word1, uncheck User must change password at next logon and check Password never expires.

9. Click Next.

10. Uncheck Create an Exchange mailbox and click Next.

11. Click Finish.

Add Traditional Application Wizard

ADFS must be configured to recognize that a new traditional application has been added. A traditional application is an application that requires a Windows security context to make authorization decisions. Perform the following actions from the Resource Side, Trey Research (HOL162-Resource). Username: Administrator Password: Passw0rd

1. Switch to the Active Directory Federation Services window, or open it by clicking Start → Administrative Tools → Active Directory Federation Services.

2. Expand the Federation Service node.

3. Expand the Trust Policy node.

4. Expand the My Organization node.

5. Right-click Applications node, select New and select Traditional Application.


6. On the Welcome to the Add Traditional Application Resource Wizard page click Next.

7. On the Traditional Application Resource Name and Uniform Resource Locator (URL) page,

• In Application Name, type the name of the Application Resource, Windows SharePoint Services

• In URL, type the URL of the Application Resource, https://beta2-sps2.treyresearch.net/

and then click Next.

8. On the Token Protection Mechanism page, under Which method of protection will be used for tokens sent to this traditional application resource?, select

• Public Key Infrastructure (PKI)

and then click Next.

9. On the Generating the Windows Authorization Token page, select claim type

• User Principal Name (UPN)

and then click Next.

10. On the Enable this Traditional Application page, ensure Enable this application is checked and click Next.

11. Click Finish to add the new Traditional Application Resource and close the wizard.

12. Right-click Trust Policy and click Apply changes.

Send invite letter to Alan

Now that the Traditional Application is configured, have Terry (SharePoint administrator for Trey Research) use the SharePoint site to invite Alan at A. Datum to the site. Perform the following actions from the Windows SharePoint Server (beta2-sps). Username: Terry Password: Passw0rd

1. Switch to the Windows SharePoint Server.

2. Log on with username: Terry and password: Passw0rd (you may need to log out as Administrator).

3. Launch Internet Explorer.

4. Go to https://beta2-sps2.treyresearch.net/

5. You may be asked to select your home realm the first time you hit the site. If you are, select treyresearch.net and click the Submit button.

6. The sample logon page will appear. Click Submit in the Integrated Authentication section.

7. Click on the Site Settings link.

8. Click Manage users.

9. Click Add Users.

10. In the Users: field type alan@adatum.com. This resolves to the shadow account you created in the Federated Accounts OU.

11. Check Contributor and then click Next.

12. Click Finish. (If you want you can also send Alan a message.)

Check Alan’s Invite

Now that Terry has invited Alan to contribute to the site, see whether Alan can reach it. Perform the following actions from the A. Datum Client Workstation (HOL162-client). Username: alan Password: Passw0rd

1. Switch to the A. Datum Client Workstation (HOL162-client).

2. Log on to the Client computer with username: alan with the password: Passw0rd (you may need to logout as Administrator)

3. Launch Outlook.

4. In Alan’s Inbox there should be the invitation message from Terry. Click on the link in the email.

5. You may be asked to select your home realm the first time you hit the site. If you do select Adatum and click the Submit button.

6. The Trey Research site will appear.


Section Two: Configure Group to UPN Mapping

Configure Group at A. Datum

In this part of the lab we are going to create a group, Support, and add a user, Alex, to it. Then we are going to configure this group to be sent to Trey Research as a group claim. Perform the following actions from the Account Side, A. Datum (HOL162-Account). Username: Administrator Password: Passw0rd

1. Click Start → Administrative Tools → Active Directory Users and Computers.

2. Right-click on Users and select New Group.

3. In the Group name: field enter Support

4. Click Next.

5. Click Next.

6. Click Finish.

7. Double Click Support.

8. Select Members tab.

9. Click Add.

10. In the Enter the object names to select (examples): field, enter Alex.

11. Click OK.

12. Click OK.

13. Click Start → Administrative Tools → Active Directory Federation Services.

14. Expand the Federation Service node.

15. Expand the Trust Policy node.

16. Expand the My Organization node.

17. Right-click on Claim Definitions and select New Group Claim…

18. Enter Support, and click OK.

19. Expand Account Stores.


20. Select Active Directory.

21. Right-click on Active Directory and select New Group Claim Extraction…

22. Click Add…

23. Enter support and click OK.

24. If you get a Multiple Names Found dialog select support from the list and click OK.

25. In the Map to this Organization Claim: select Support

26. Click OK.

27. Expand Partner Organizations.

28. Expand Resource Partners.

29. Select Trey Research.

30. Right-click on Trey Research and select New Outgoing Group Claim Transform…

31. Select from the Organization Group claims: drop down Support.

32. Enter Support in the Outgoing group claim name:

33. Click OK.

34. Right-click Trust Policy and click Apply changes.

Configure Resource Site for Group to UPN mapping

In this part of the lab, the reader user is created and then ADFS is configured so that all incoming users from the Support group have Reader access to SharePoint. Perform the following actions from the Resource Side, Trey Research (HOL162-Resource). Username: Administrator Password: Passw0rd

Add local account for Reader user to Active Directory

Perform the following steps on the HOL162-Resource Virtual Machine.

1. Click Start → Administrative Tools → Active Directory Users and Computers.


2. Expand treyresearch.net.

3. Right-click on the Federated Accounts folder and select New User.

4. Type in SPS as the first name, Reader as the last name, reader as the user logon name.

5. Click Next.

6. Set the password to pass@word1, uncheck User must change password at next logon and check Password never expires.

7. Click Next.

8. Uncheck Create an Exchange mailbox and click Next.

9. Click Finish.

Configure Group to UPN in ADFS

Perform the following actions from the Resource Side, Trey Research (HOL162-Resource). Username: Administrator Password: Passw0rd. Here the incoming group claim Support from the Adatum account partner is mapped to the local reader account, so every A. Datum user who carries that claim runs on the SharePoint server in reader’s Windows security context; the application, and anything it logs, sees treyresearch\reader rather than the individual user.

1. Click Start → Administrative Tools → Active Directory Federation Services.

2. Expand the Federation Service node.

3. Expand the Trust Policy node.

4. Expand the Partner Organizations node.

5. Expand the Account Partners node.

6. Select Adatum.

7. In the right pane right-click on User Principal Name, and select Properties.

8. Select the Groups tab.

9. In the From incoming group: field enter Support.

10. Click …

11. Enter reader, and click OK.

12. Click Add…


13. Click OK.

14. Right-click Trust Policy and click Apply changes.
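The two resource-side mappings this lab configures, UPN to UPN (Section One) and Group to UPN (this section), are easy to click through but the decision logic is never spelled out. The following is an added example written for this page, not ADFS code and not part of the original lab: it models the A. Datum side (group claim extraction and the outgoing claim transform) and the Trey Research side (trusted account partner check, registered UPN suffixes, shadow accounts, group-to-UPN table) as plain dictionaries, and resolves an incoming token to the local Windows account the ADFS Web Agent would hand to SharePoint. The dictionaries, the order in which UPN-to-UPN is tried before Group-to-UPN, the users bob@adatum.com and carol@adatum.com, and the issuers contoso.com and fabrikam.com are assumptions and constructed test data, not anything the lab states.

```python
"""Model of the two resource-side mappings this lab configures at Trey
Research: UPN-to-UPN (Section One) and Group-to-UPN (Section Two).

Illustrative code written for this page, not ADFS itself.  Assumptions:
the dictionaries stand in for the ADFS trust policy and Active Directory;
UPN-to-UPN is tried before Group-to-UPN; the users bob@adatum.com and
carol@adatum.com and the issuers contoso.com / fabrikam.com are constructed
test data."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Token:
    """Security token sent by the account partner's Federation Server."""
    issuer: str                                      # account partner that issued it
    upn: str                                         # UPN claim, e.g. alan@adatum.com
    groups: List[str] = field(default_factory=list)  # outgoing group claims


# ---- A. Datum (account side), "Configure Group at A. Datum" ----------------
# AD group membership in adatum.com (constructed sample data; Alex is in the
# Support group the lab creates, Carol is in a group no claim is defined for).
ADATUM_MEMBERSHIPS = {
    "alan@adatum.com": set(),
    "alex@adatum.com": {"support"},
    "carol@adatum.com": {"sales"},
}
GROUP_CLAIM_EXTRACTION = {"support": "Support"}    # New Group Claim Extraction
OUTGOING_GROUP_TRANSFORM = {"Support": "Support"}  # New Outgoing Group Claim Transform


def issue_token(upn: str) -> Token:
    """Build the token A. Datum's Federation Server would send to Trey Research.
    Raises KeyError for a UPN that is not an A. Datum account."""
    memberships = ADATUM_MEMBERSHIPS[upn]
    org_claims = {GROUP_CLAIM_EXTRACTION[g] for g in memberships
                  if g in GROUP_CLAIM_EXTRACTION}
    outgoing = sorted(OUTGOING_GROUP_TRANSFORM[c] for c in org_claims
                      if c in OUTGOING_GROUP_TRANSFORM)
    return Token(issuer="adatum.com", upn=upn, groups=outgoing)


# ---- Trey Research (resource side) ----------------------------------------
ACCOUNT_PARTNERS = {"adatum.com"}                    # configured account partners
UPN_SUFFIXES = {"treyresearch.net", "adatum.com"}    # "Configure Alternative UPN suffixes"
SHADOW_ACCOUNTS = {                                  # Federated Accounts OU: UPN -> Windows account
    "alan@adatum.com": "TREYRESEARCH\\alan",
    "reader@treyresearch.net": "TREYRESEARCH\\reader",
}
GROUP_TO_UPN = {"Support": "reader@treyresearch.net"}  # "Configure Group to UPN in ADFS"


def resolve_windows_identity(token: Token) -> Optional[str]:
    """Return the Windows account the ADFS Web Agent would run the SharePoint
    request as, or None if the token yields no local identity."""
    # Tokens from anyone who is not a configured account partner are ignored,
    # whatever UPN they assert.
    if token.issuer not in ACCOUNT_PARTNERS or "@" not in token.upn:
        return None
    upn = token.upn.lower()
    suffix = upn.rsplit("@", 1)[1]
    # UPN-to-UPN: a shadow account can only exist if its suffix is registered
    # in the treyresearch.net forest.
    if suffix in UPN_SUFFIXES and upn in SHADOW_ACCOUNTS:
        return SHADOW_ACCOUNTS[upn]
    # Group-to-UPN: the first incoming group claim with a mapping wins, and
    # everyone carrying that claim shares one local account (many-to-one).
    for group in token.groups:
        mapped = GROUP_TO_UPN.get(group)
        if mapped and mapped in SHADOW_ACCOUNTS:
            return SHADOW_ACCOUNTS[mapped]
    return None


def federated_access(upn: str) -> Optional[str]:
    """End to end: account-side token issuance, then resource-side mapping."""
    try:
        token = issue_token(upn)
    except KeyError:            # not an A. Datum user, so no token is issued
        return None
    return resolve_windows_identity(token)


if __name__ == "__main__":
    for user in ("alan@adatum.com", "alex@adatum.com", "carol@adatum.com", "bob@adatum.com"):
        print(f"{user:18} -> {federated_access(user)}")
    spoofed = Token(issuer="contoso.com", upn="alan@adatum.com", groups=["Support"])
    print(f"token from contoso.com -> {resolve_windows_identity(spoofed)}")
```

Run it and Alan lands on his own shadow account while Alex, who has no shadow account, lands on reader through the Support claim; Carol has no mapped claim and Bob is unknown to A. Datum, so neither gets in. The spoofed token shows why the account-partner check comes first: a token that asserts alan@adatum.com from an issuer that is not a configured account partner must not reach either mapping.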

Configure Windows SharePoint Services for Group to UPN mapping

Perform the following actions from the Windows SharePoint Services machine, Trey Research (HOL162-SPS). Username: Terry Password: Passw0rd

1. Launch Internet Explorer and log on to the SharePoint site.

2. Click Site Settings.

3. Click Manage Users.

4. Click Add Users.

5. Enter treyresearch\reader in the Users: field.

6. Check Reader.

7. Click Next.

8. Click Finish.

Test Site with Alex

Now that we have the site configured, let’s test it. Perform the following actions from the Client Workstation, A. Datum (HOL162-client). Username: Alex Password: Passw0rd

1. Log on as Alex.

2. Launch Internet Explorer

3. Enter into the Address field https://beta2-sps2.treyresearch.net/

4. Select Adatum and click Submit.

5. The site should then come up.
